On Feb 12, 2008 9:02 AM, has <email@hidden> wrote:
On 10 Feb 2008, at 22:47, Rob Lewis wrote:
There's an interesting CGI called "x2web" that supports embedding
AppleScript code inside <applescript> and </applescript> tags.
I hope not - that would be incredibly unsafe on anything but a
completely closed and trusted system (see code injection attack).
? I'm assuming the AS is still run on the server, not the client...
If the OP, Rob, is talking about a server-side web programming or
templating system à la PHP where the embedded code is executed in
order to generate a finished HTML document to send to the user, then
ignore what I said because I thought he was meaning something different.
The way I read it, it sounded as if the server was serving up an HTML
file with embedded AppleScript code in it, and that code was
subsequently being sent back to the server to execute. Irresponsible
DHTML developers do this sort of thing sometimes with client-side
_javascript_; for example, having the _javascript_ construct things like
raw SQL queries and sending those directly to the server-side
database. A malicious user can easily substitute the embedded
_javascript_ with their own in order to do nasty things such as deleting
the entire database.
(FWIW, I did take a look at the x2web package to see if it made things
any clearer, but it's completely undocumented so I wasn't any the
wiser for it.)